SSH is a reasonably awesome tool: it enables encrypted, authenticated access to hosts across a network, whether across the LAN, across a WAN or across the Internet. But that authentication has a weak point: it defaults to Trust on First Use (TOFU); i.e., the first time one connects to a host, one is prompted about whether one wishes to trust that host or not. Most people just blindly trust the prompted key: after all, how likely is it that one’s very first connexion would be attacked? Well, probably not terribly likely. Still …
Here’s how one can prevent even a first-connexion man-in-the-middle
attack from succeeding, using
cloud-config (a standard for configuring
a new machine used, among others, by DigitalOcean). Simply provide
the configuration below as user data:
#cloud-config runcmd: - mkdir /etc/issue.d - (for k in /etc/ssh/ssh_host*.pub; do ssh-keygen -l -f $k; done) > /etc/issue.d/sshd.issue
This will print the SSH host key on the console login; you can use your cloud vendor’s remote console functionality to verify the SSH fingerprints before accepting the prompt. Of course, you have to trust your cloud provider — but if you don’t, then you really shouldn’t be using them at all!
After you have verified the initial key, you may wish to go in and
/etc/issue.d/sshd.issue, in order to reduce the text in the login
It would be really awesome to have a service which, on first boot, would generate a master host keypair and add the public key to the login console, then submit the SSH host keys, SSL keys and any other public keys to a Swiss-Army-knife CA, which upon approval would sign them and return them; an admin could then create a machine, open the CA UI, verify the signed submission and approve release.
But implementing that is a fair chore, while using this little
cloud-config snippet is easy.